Re: [PATCH 0/9] namespaces: Introduction [message #3300 is a reply to message #3298] |
Sun, 21 May 2006 23:32 |
Herbert Poetzl
Messages: 239 Registered: February 2006
|
Senior Member |
|
|
On Sun, May 21, 2006 at 05:18:50PM -0600, Eric W. Biederman wrote:
> Pavel Machek <pavel@ucw.cz> writes:
>
> > Well, if pid #1 virtualization is only needed for pstree, we may want
> > to fix pstree instead :-).
yes, actually this and init itself (which uses the
pid to switch between init and telinit behaviour)
are the only two applications we found so far ...
and as far as I know, those work with non pid=1
values on other operating systems (inside containers)
a fix there would definitely be appreciated and
I think it would not hurt normal behaviour ...
> One thing that is not clear is if isolation by permission checks is
> any easier to implement than isolation with a namespace.
for the pid space, I'm not really sure if isolation
is really cheaper than virtualization, but for the
network space for example, a virtualization solution
which is as lightweigth as the isolation is probably
more challenging, although not impossible ...
> Isolation at permission checks may actually be more expensive in terms
> of execution time, and maintenance.
again, for the pid space, maintenance is quite low ..
best,
Herbert
> Eric
|
|
|